Viewing Options

The modular design of the Cisco
® XR 12000 Series Routers combines shared port adapters (SPAs) and SPA interface processors (SIPs), and enables service prioritization for data, voice, and video services. This extensible design maximizes connectivity options and offers superior service intelligence through programmable interface processors that deliver line-rate performance. Modularity enhances speed-to-service revenue and provides a rich set of quality of service (QoS) features for premium service delivery while effectively reducing the overall cost of ownership. This data sheet contains the specifications for the Cisco XR 12000 Series IPsec VPN Shared Port Adapter.

PRODUCT OVERVIEW

Service providers and enterprises require ubiquitous and secure connectivity to address today's mission-critical, high-bandwidth applications. Many service providers deploy IPsec VPN technology to geographically extend their existing VPNs, and use IPsec to give remote users access to their corporate VPNs. Enterprises replace their traditional WANs with site-to-site and remote-access VPNs with this technology as well. The Cisco XR 12000 IPsec VPN SPA offers next-generation encryption technology and a form factor designed to enable a more flexible and scalable network infrastructure (see Figure 1).

Figure 1. Cisco XR 12000 IPsec VPN SPA

The Cisco IPsec VPN SPA delivers scalable and cost-effective VPN performance for Cisco XR 12000 Series Routers. Using the Cisco XR 12000 SIP cards (401, 501, and 601), each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs, or any mixture of the Cisco IPsec VPN SPA with other interface SPA types on the same SIP card. Although the Cisco IPsec VPN SPA does not have physical interfaces, it takes advantage of the breadth of interfaces on the Cisco XR 12000 Series Router.

High-speed VPN performance provides up to 2.5 Gbps of AES and 3DES IPsec throughput with large packets and 1.6 Gbps with Internet mix (IMIX) traffic.

Scalability

Up to 20 Cisco IPsec VPN SPAs can be installed in a Cisco 12416 Router (10 slots with 2 SPAs per slot, plus 2 route processors and 4 line cards with line interfaces) to provide up to 50 Gbps of total throughput.

The Cisco IPsec SPA can scale up to 16,000 tunnels for remote access and remote user VPN access. Tunnel establishment is relatively constant for all 16,000 tunnels with an average rate of 100 tunnels per second.

Attractive form factor

Using the Cisco SIP cards, up to 2 Cisco IPsec VPN SPAs can be installed in each slot, or any mixture of the IPsec VPN SPA with other interface SPA types. The half-slot form factor of the SPA reduces slot consumption and increases total performance per slot for flexible mixing and matching.

Note: Support for SPA mixture on the same SIP LC will be introduced in IOS-XR3.5 release.

Jumbo-frame support

The Cisco IPsec VPN SPA supports jumbo frames of up to 9200 bytes without the need for fragmentation.

Full integration of secure VPN into the network infrastructure

The Cisco IPsec VPN SPA supports all the Cisco XR 12000 Series Router interfaces in the chassis. No separate VPN devices are needed within the network, intranet, Internet data center, or point of presence (POP).

The Cisco IPsec VPN support on XR12K harnesses the high-availability capabilities of Cisco IOS XR Software, such as Stateful Switch Over (SSO), In Service Software Upgrade (ISSU), etc. It also supports routing over IPsec tunnels, dead-peer detection (DPD), reverse route injection (RRI), and intra-chassis stateful failover (active-active) for IPsec and GRE. The IPsec capabilities provide superior VPN resiliency and high availability.

Virtual Route Forwarding (VRF)-aware IPsec VPN

VRF-aware IPsec features help enable mapping of IPsec tunnels to VRF instances to provide network-based IPsec VPNs, and the integration of IPsec with Multiprotocol Label Switching (MPLS) VPNs. This feature helps service providers, large enterprises, and other organizations to build secure, scalable, and virtualized VPN services across their network infrastructures.

QoS

The Cisco IPsec VPN SPA provides complete and consistent QoS to support service-level agreements (SLAs) with the same level of QoS that is provided on the Cisco XR 12000 Series for traditional VPN access technologies such as Frame Relay, ATM, and VLANs.

The features listed in Table 1 provide the following benefits for service providers and enterprises:

• Security integrated into network infrastructure - The Cisco IPsec VPN SPA supports Cisco XR 12000 Series Routers. By integrating VPN capabilities into these infrastructure platforms, VPN services can be delivered over a network in which the service provider has no physical presence and remote users can access their corporate VPN securely. Furthermore, the broad range of Cisco XR 12000 Series interfaces and services (including Session Border Control and virtual firewall in the future) can be used within the same platform.

• Industry-leading technology - In addition to DES and 3DES, the Cisco IPsec VPN SPA introduces AES, the new standard in encryption technology demanded by most government agencies and leading financial institutions in the most secure network environments.

• High performance - Each Cisco IPsec VPN SPA can deliver up to 2.5 Gbps of AES and 3DES encrypted data traffic. Additionally, it can terminate up to 16,000 site-to-site or remote-access IPsec tunnels simultaneously and can set up those tunnels at an average establishment rate of 100 new tunnels per second for all 16,000 tunnels.

• Scalable form factor - Each slot of the Cisco XR 12000 Series Router can support up to two Cisco IPsec VPN SPAs. Up to 20 Cisco IPsec VPN SPAs can be combined in a single Cisco 12416 chassis to provide maximum throughput of 50 Gbps. Additionally, the half-slot form factor of the Cisco IPsec VPN SPA allows the customer to reduce slot consumption, potentially reducing cost while enhancing per-slot and overall system encryption performance.

• VPN resiliency and high availability - Using innovative features such as stateful failover for IPsec and support of dynamic routing updates over site-to-site tunnels, the IPsec VPN SPA provides superior VPN resiliency and high availability.

To place an order, visit the
Cisco Ordering Home Page. Table 3 lists ordering information for the Cisco IPsec VPN SPA and SIP cards.

Table 3. Ordering Information

Product Name

Part Number

Cisco XR 12000 Series IPsec VPN Shared Port Adapter

SPA-IPSEC-2G-2

SPA-IPSEC-2G-2=

Cisco XR 12000 Series SPA Interface Processor-401, -501, and -601

12000-SIP-401

12000-SIP-501

12000-SIP-601

CERTIFICATIONS

Cisco is committed to maintaining an active product certification and evaluation program for customers worldwide, and is a leader in providing certified and evaluated products to the marketplace. Cisco will continue to work with international security standards bodies to help shape the future of certified and evaluated products, and will work to accelerate certification and evaluation processes. Certification and evaluation are considered at the earliest part of the company's product development cycle, and Cisco will continue to position its security products to help ensure that customers have certified and evaluated products to meet their needs. For security certification product details, visit:
www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html.

SERVICE AND SUPPORT

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, refer to
Cisco Technical Support Services or
Cisco Advanced Services.

FOR MORE INFORMATION

For more information about the Cisco XR12000 IPsec VPN SPA and the Cisco SPA/SIP portfolio, visit
http://www.cisco.com/go/spa or contact your local Cisco account representative.